Corporate acquisitions just became a cybersecurity nightmare for WordPress users. A plugin developer portfolio with installations across thousands of sites was quietly acquired and subsequently backdoored—compromising more than 20,000 active WordPress installations. The malicious code lay dormant for eight months before springing to life, injecting spam and creating persistent backdoors that survive even WordPress’s forced security updates.
How the Blockchain-Powered Backdoor Works
Attackers used Ethereum smart contracts to evade traditional security measures and maintain control.
The backdoor landed in version 2.6.7, released last August, but stayed silent until this month. Here’s the clever part: attackers weaponized the legitimate wpos-analytics module, turning it into a PHP deserialization vulnerability that phones home for instructions.
Instead of using traditional command-and-control servers that can be taken down, the malware queries Ethereum blockchain contracts to find its current command-and-control domain. Think of it like a treasure map that can’t be destroyed—attackers simply update the smart contract to point to new domains whenever old ones get blocked.
The backdoor then creates a fake file called wp-comments-posts.php (notice the extra ‘s’) and injects massive PHP blocks into your wp-config.php, establishing permanent access.
WordPress’s Patch Doesn’t Actually Fix Everything
The forced update only disabled the phone-home mechanism while leaving dangerous code intact.
WordPress pushed version 2.6.9.1 to affected sites automatically, but here’s the problem: the fix only stopped the backdoor from calling home. All that injected PHP code sitting in wp-config.php? Still there. Still serving hidden spam content to Google’s crawlers while you remain blissfully unaware.
According to security researcher Austin Ginder of Anchor Hosting, this represents “the second hijack of a WordPress plugin discovered in as many weeks,” suggesting a troubling trend in supply chain targeting.
What You Need to Do Right Now
Don’t just update—completely remove compromised plugins and manually clean your files.
If you’re running WordPress sites, stop reading and start auditing:
- Remove any compromised plugins entirely—don’t trust updates to clean them
- Manually scrub your wp-config.php files for injected code blocks
- Run comprehensive malware scans using tools like Wordfence or Sucuri
- Change every administrative password on affected sites
- Consider restoring from clean backups if you have them from before August 2025
The forced update bought you time, not safety.
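As an added example (not code from the article or from Anchor Hosting), a POSIX shell audit that checks a WordPress root for the two artifacts described above: the fake wp-comments-posts.php file and injected PHP in wp-config.php. The pattern list is an assumed heuristic, and the sample tree the script builds is constructed for the demo.

```shell
#!/bin/sh
# Added audit example, not code from the article or the affected plugin.
# Looks for the two artifacts described above: the fake dropper
# wp-comments-posts.php (extra 's'; the real core file is
# wp-comments-post.php) and injected PHP in wp-config.php.
# The pattern list is an assumed heuristic: none of these calls belong in
# a normal wp-config.php, but each match still needs a human to read it.
SUSPICIOUS_RE='eval\(|base64_decode\(|gzinflate\(|unserialize\(|str_rot13\('

# audit_wp_root <wordpress-root>
# Prints findings; returns 0 when nothing was found, 1 otherwise.
audit_wp_root() {
    root=$1
    hits=0
    fake=$(find "$root" -name 'wp-comments-posts.php' 2>/dev/null)
    if [ -n "$fake" ]; then
        printf 'FAKE FILE (remove): %s\n' "$fake"
        hits=1
    fi
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && grep -E -n "$SUSPICIOUS_RE" "$cfg"; then
        printf 'SUSPICIOUS LINES (above) in %s\n' "$cfg"
        hits=1
    fi
    return $hits
}

# make_sample_site <dir> <infected|clean>
# Builds a constructed, inert WordPress-like tree so the audit can be
# exercised without touching a real site.
make_sample_site() {
    dir=$1; mode=$2
    mkdir -p "$dir"
    printf '<?php\n/* legitimate core file */\n' > "$dir/wp-comments-post.php"
    printf "<?php\ndefine('DB_NAME', 'wp');\n" > "$dir/wp-config.php"
    if [ "$mode" = infected ]; then
        printf '<?php\n/* constructed stand-in for the dropper */\n' \
            > "$dir/wp-comments-posts.php"
        # Constructed injected line; the payload decodes to "constructed".
        printf "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n" >> "$dir/wp-config.php"
    fi
}

# Stand-alone demo on a constructed tree. On a real server, run
# audit_wp_root against the site root instead (for example /var/www/html).
demo=$(mktemp -d)
make_sample_site "$demo" infected
audit_wp_root "$demo" || echo "findings present: clean manually, then rescan"
rm -rf "$demo"
```

A clean exit only means these two specific artifacts were not found; it does not replace the full malware scan and password rotation listed above.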
WordPress users face a systemic vulnerability: no notification system exists when plugin ownership changes hands. You’re flying blind into potential supply chain attacks, making this incident unlikely to be the last.